quasar | 66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

x.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Loads dropped DLL 1 IoCs

pid	Process
4876	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4876 set thread context of 3332	4876	powershell.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4876	powershell.exe
4876	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3332	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1120	4876	powershell.exe	83
PID 4876 wrote to memory of 1120	4876	powershell.exe	83
PID 1120 wrote to memory of 2160	1120	csc.exe	84
PID 1120 wrote to memory of 2160	1120	csc.exe	84
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85
PID 4876 wrote to memory of 3332	4876	powershell.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.ps1
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2m1qpj5s\2m1qpj5s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp" "c:\Users\Admin\AppData\Local\Temp\2m1qpj5s\CSC41EC9B68DEF54519B6F7D9197E8B28E6.TMP"
    3⤵
    PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2m1qpj5s\2m1qpj5s.dll

Filesize
3KB

MD5
035f331f96ffbabc2dd987b262fdc45d

SHA1
b2d3b5c9dd098dd12619e277c4e45fd4cc4f37fe

SHA256
437b4484b82248346c2e37ffbceb12e5ffb9fe5a5108e056d91328930ecb976b

SHA512
87c10a178f3f5993500d6a4a8362e73aa93f0c02cfe7b86f2c45b509d3e0e510366deae8e30220bd84a67ef2f952407310b5ed7e466dc39f8ed0954a00888cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp

Filesize
1KB

MD5
e735e24e6d523712f04d7124ca0baf5a

SHA1
54d45c8ceb9d3a76624438d635649cbb43d32d2f

SHA256
b10f190ca5469562c794ad1ef67d072162bb10881e57182de9683d6e4fe4dfa2

SHA512
f619e0957366fc307d3b161bd2bb4075d91eceb118ca335c4b5ab03172efcb432f8f8715cfdfa5fa32e82cca67739c0c4a1729812d0f33c70d68b999a812ccb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwce1nxt.4s2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9153.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m1qpj5s\2m1qpj5s.0.cs

Filesize
241B

MD5
4af5e3c2858754904a2675fd9310587c

SHA1
5beab66acddbfced7dac0eca69f2dd2e46dfadb5

SHA256
89f9ef1174433b2ce1693d1f9b89b41f9fbe01a012a8e05a77b90d5401dfe372

SHA512
ce49c523f2a9ec40659e1577349175e232ec2f96e9b0c773e68159629220872e89d4dc2631e748cea86f243623891023f97a6ceee9944577e0ba41456538314d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m1qpj5s\2m1qpj5s.cmdline

Filesize
369B

MD5
0ca14091603750fa9561255dfcd31569

SHA1
3c2e7f8b692bd2c428bd995292f695adab1e257d

SHA256
6f9767fc69d3dd20dcf651cd25f9f105d89ce5b6b3060d1b530296a4b8498515

SHA512
495f255c045e0e80175ca246477c4a0438c2f3382d0b3ce3aad0552a3bd2d3be52d77ce7bb0444ff569952ada43d9480b47f88739dfbe4adbef154fc67b54106

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m1qpj5s\CSC41EC9B68DEF54519B6F7D9197E8B28E6.TMP

Filesize
652B

MD5
a386c41ceaf737e6fc83375e42c38171

SHA1
5d0994375bf031ddd5c973ce9babf662a443d56b

SHA256
c3900c158d3f52b1ddafab06a36ce92dbfc62dd7087c08c4cd7cbff670d538be

SHA512
3c86721120c266a3f5b45251ff7c1a641dafc456696c7563e4de4ce8c56ff48fd11b4020aad2d23a0c10d0bf33147f615489a2f8564d15d6ed3eb54ec1d53640

Download Submit
memory/3332-39-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/3332-41-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/3332-44-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/3332-43-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/3332-42-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download
memory/3332-40-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/3332-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3332-38-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/3332-37-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/4876-36-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4876-35-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4876-0-0x00007FFEC6143000-0x00007FFEC6145000-memory.dmp

Filesize
8KB

Download
memory/4876-31-0x00000209CE1F0000-0x00000209CE204000-memory.dmp

Filesize
80KB

Download
memory/4876-12-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4876-1-0x00000209B5CB0000-0x00000209B5CD2000-memory.dmp

Filesize
136KB

Download
memory/4876-26-0x00000209B5CF0000-0x00000209B5CF8000-memory.dmp

Filesize
32KB

Download
memory/4876-11-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing